MRes and PhD projects

MRes and PhD projects

MRes and PhD projects

Title: A data-driven analysis tool to investigate Content dependencies and Chains of malicious content injection on the Web

Description: The Web is a tangled mass of interconnected services, where websites import external resources from third-party domains serving various purposes including analytics, tracking, advertisement or external dynamic content display. The resources dependency however is quite often extended by third-party domains loading the requested content further from other domains. This creates a chain of dependency where content is being served from third-parties that the first-party websites would be implicitly trusting. The chain of dependency can be loosely controlled as first-party websites often have little, if any, visibility of where the resources loaded originate from. In this project, we aim to design and implement a data-driven analysis tool to characterize this implicit trust in the chain of dependency for Alexa’s top-1M websites and to measure the risks that first-party websites may be undertaking while loading resources from possibly malicious domains.

Description: In recent years, malicious Internet activity campaigns have been showing an alarming increasing resiliency against detection techniques using swift adaptation and some advanced evasion techniques. Leveraging a worldwide unique Dataset of more than 650 millions entries and covering over 10 years of malicious activity, this project aims to investigate Internet malicious activity and to characterise and quantify their impact on online services.

Description: "This project aims to introduce privacy risks associated with users’ touch gestures across multiple mobile devices. The project is an extension of our previous work in which we quantified the uniqueness of touch gestures on a single mobile device, and thus showed that users could be identified through the unique patterns of their touch gestures. The threat is known as “Touch-Based Tracking” on mobile devices. For this project, we will first perform user study to collect the data on different devices via mobile app, and then quantify and track users using a probabilistic framework on multiple devices. Another interesting features about this project is to obfuscate the user touch-data using privacy preserving methods. We will use Generative Adversarial Network (GANS) to preserve the privacy of a user’s touch-data. The project requires a sound knowledge of android applications and java language. Objectives:1. Data collection using TouchTrack app on multiple devices2. Design a probabilistic methodology3. Quantify User Uniqueness on Multiple Devices4. Perform Experiments and Summarize Results5. Design a privacy-preserved defensive (GANS based) methodology for touch-data privacy6. Implement the privacy-preserved methodology 7. Evaluate and Summarize Results ".

Apply now and join us.

Contact: Prof Dali Kaafar (Dali.kaafar@mq.edu.au).

Title: Privacy-Preserving Web Browser Plugin for Online Data

Description: This project aims to preserve the privacy of user’s online data from the inference attacks by an eavesdropper who gets access to (anonymized) data. We intend to develop a Web browser plugin for real-time privacy risk prediction and obfuscation of Web data. The framework is made resilient to adversarial attacks, where the adversary with the knowledge of the model and calcualted probabilities can make inferences about the actual data and the obfuscated data.Objectives: Design a browser plugin for the framework of privacy risk prediction and obfuscation for Web data (we aim to start with Web search queries only) Implement the plugin Testing Deploy and conduct user study experiments using the developed plugin Research other methods for improving privacy/utility of obfuscation – such as Dirichlet priors and Generative Adversarial Networks (GANs).

Description: To guarantee confidentiality and integrity of user sensitive data, mobile apps such as Facebook, CommsBank or YouTube often use HTTPS. Security research communities have spent a considerable effort focusing on measuring and analyzing HTTPS adoption in desktop computing platforms. Several proposals have been proposed to enforce HTTPS and to inform users if sensitive data is transferred via non-secure HTTP. However, HTTPS adoption and security analysis of Mobile apps received very little to no attention. To fill this gap, this project aims to design and implement a measurement and analysis framework of Android mobile apps leveraging on static code analysis and runtime dynamic analysis techniques.

Apply now and join us.

Contact: Prof Dali Kaafar (Dali.kaafar@mq.edu.au).

Title: A Dynamic Analysis Testbed for Mobile Apps Security

Description: A general approach to the security and privacy issues of mobile apps is through static code analysis and runtime dynamic analysis. The former involves source code investigation and often requires less resources and computation-time. However, static code analysis often fails to capture the actual behavior of mobile apps and may result in high false positive and false negative rates. To overcome this ineffectiveness at a cost of conservative resource requirements, runtime dynamic analysis reveals apps’ behaviors by leveraging apps’ network traffic and requests to sensitive resources. To complement our static analysis of mobile apps, in this project we aim to design and implement a framework to automatically perform runtime dynamic analysis of mobile apps at scale. Join a vibrant research team investigating Mobile Apps Security. We are raising awarneess and preventing Mobile Security Flaws. There has been quite a lot of media coverage on our research (e.g. covering VPN Mobile Apps Security and Privacy) including NYTimes, CNN, ITWire, Slashdot, Security Week, ABC News, TheRegister, Technology Decisions, SHM, …

Apply now and join us.

Contact: Prof Dali Kaafar (Dali.kaafar@mq.edu.au).

Title: Formal Methods for Cyber Risk Modelling

Profile: Formal Methods

Description: This project concerns the formal analysis of cyber risk. Cyber risk imposes an increasing threat to businesses and a project in this theme will concentrate on the precise modelling of cyber attacks based on historical incidents. The general methodology is to formally define and quantify the notion of severity for selected cyber attacks (e.g. duration and throughput for DoS attacks, number of records for data breach attacks, size of compromised network/machines for servers and botnet farms, etc.). On the one hand, the severities are linked to root technical causes which, ultimately, are captured within the developed formal models. On the other hand, the severities can also be transformed into concrete losses which are important for the evaluation of digital business vulnerabilities and the effectiveness of protective measures for various known cyber attacks.The goal is to gain a firm understanding of the impact of low frequency but high severity cyber attacks with a view to pricing the associated risks.

Contact: Prof Annabelle McIver

Title: Algebras for privacy

Description: Differential privacy has become an important concept for protecting sensitive data because it provides a notion of a strong privacy guarantee. Originally formulated for queries to statistical databases, variations of the idea can be used to ensure privacy in other domains (such as location privacy). This project focusses on generalising these ideas by investigating the algebraic properties of privacy mechanisms to enable mechanisms to be combined in various ways to understand privacy guarantees over other complex domains. The work will use novel theories of information flow based on channels, and will take examples and case studies from machine learning.

Contact: Prof Annabelle McIver

Title: Elliptic Curve Cryptography

Profile: Cryptography, Number Theory

Description: The use of elliptic curves in Public Key Cryptography has been first suggested in 1985. From this date, elliptic curves have become increasingly popular mainly because the only algorithms that we know to solve the discrete logarithm problem on generic curves are of exponential complexity. This is in contrast with the existence of sub-exponential algorithms to factor integers, which gives a direct attack against RSA. As a consequence, much shorter keys can be used in elliptic curve cryptography (ECC) to achieve the same level of security provided by RSA. For instance, a key of 224 bits in ECC is believed to be as secure as a 2048-bit RSA key. The goal of this project is to research new fast and secure ways to perform arithmetic on elliptic curves, in particular regarding the use of the bouble-base number system to speed-up scalar multiplications on elliptic Curves

Title: Human Factors of Security

Title: Blockchain Security

Profile: Data science, theory, System knowledge, Applied Cryptography

Contact: Prof Dali Kaafar

Title: Program Invariant Synthesis Using Machine Learning Techniques

Description: Static analysis of source code consists in building a mathematical representation (over-approximation) of the software and perform automated reasoning on the models to detect bugs or formally establish the absence of bugs. Static analysis techniques have made tremendous progress in the last decade and commercial tools are now routinely used to analyse safety critical source code. Establishing the absence of bugs for non-trivial programs (e.g. with loops, arrays) usually requires the discovery of program invariants. This process is in theory impossible to fully automate. In most cases, a human is asked to provide necessary invariants that can be used to prove that a program is bug-free. The manual techniques of synthesising invariants come more natural to human based learning. This is not scalable for larger programs as it requires the programmer to do a lot of additional work. The purpose of this project is to investigate possible techniques to automatically discover invariants using machine learning techniques.

Contact: A/Prof Franck Cassez and A/Prof Anthony Sloane

Title: Automated Software Verification – Static Analysis

Description: The software embedded in a modern car controls many tasks at the same time: fuel injection, brakes, cruise control and navigation system. Ensuring that those concurrent tasks are performed correctly is of utmost importance: applying the brakes should disable cruise control, otherwise the driver cannot stop the car; setting a target location in the navigation system should not monopolise the system, because the computer also controls vital tasks such as braking. Beyondcars, we rely heavily on software that is used to control other embedded systems including in heart pacemakers, trains, aeroplanes and the electric power grid. We address the problem of automatically establishing whether software is free of bugs. If it is bug-free, we aim to provide a formal proof. If it is not bug-free, we aim to provide a reproducible witness test that unveils the cause of the bug.

Contact: A/Prof Franck Cassez and A/Prof Anthony Sloane

Title: Program Termination via Trace Abstraction Refinement

Description: The most often used technique to discover bugs in source code is testing. However, testing is unsound and can never formally guarantee nor prove the absence of bugs. Another limitation of testing is that it is not suitable to discover bugs that manifest as infinite loops: the Zune player got stuck in such an infinite loop on december 31, 2008, a leap year, due to a buggy code snippet. Static analysis of source code consists in building a mathematical representation (over-approximation) of the software and perform automated reasoning on the models to detect bugs or formally establish the absence of bugs. Static analysis techniques have made tremendous progress in the last decade and commercial tools are now routinely used to analyse safety critical source code. Nethertheless, the analysis is often limited to safety properties (“something bad will never happen”). Termination (a program terminates on every input) is a liveness property (“something good will eventually happen”) and much harder to analyse than safety properties as it requires to exhibit or prove the absence of an infinite execution in the program.

Contact: A/Prof Franck Cassez and A/Prof Anthony Sloane

Title: Computation of WCET – Real-time systems

Description: Embedded real-time systems are composed of a set of tasks (software) that run on a given architecture (hardware). These systems are subject to strict timing constraints that must be enforced by a scheduler. Determining if a given scheduler can schedule the system is possible only if some bounds are known about the execution times of each task. Performance wise, determining tight bounds is crucial as using rough over-estimates might either result in a set of tasks being wrongly declared non schedulable, or leads to the choice of an overpowered and expensive hardware where a lot of computation time is lost. Given a program P, some input data d and the hardware H, the execution-time of P on input d on H, is the number of cycles needed by the processor to compute the resut of P on d. The program is given in binary code or equivalently in the assembly language of the target processor. The worst-case execution-time of program P on hardware H, WCET(P,H), is the supremum on all input data d, of the execution-times of P on every input d for H. The WCET problem consists in computing an upper bound for WCET(P,H). Ideally this upper bound should not be too coarse.